Factoring Polynomials over Finite Fields using Balance Test

(1)

HAL Id: hal-00255827

https://hal.archives-ouvertes.fr/hal-00255827

Submitted on 14 Feb 2008

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Test

Chandan Saha

To cite this version:

Chandan Saha. Factoring Polynomials over Finite Fields using Balance Test. STACS 2008, Feb 2008,

Bordeaux, France. pp.609-620. �hal-00255827�

(2)

hal-00255827, version 1 - 14 Feb 2008

FACTORING POLYNOMIALS OVER FINITE FIELDS USING BALANCE TEST

CHANDAN SAHA

Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur E-mail address: [email protected]

Abstract. We study the problem of factoring univariate polynomials over finite fields.

Under the assumption of the Extended Riemann Hypothesis (ERH), Gao [Gao01] designed a polynomial time algorithm that fails to factor only if the input polynomial satisfies a strong symmetry property, namely square balance. In this paper, we propose an extension of Gao’s algorithm that fails only under an even stronger symmetry property. We also show that our property can be used to improve the time complexity of best determinis- tic algorithms on most input polynomials. The property also yields a new randomized polynomial time algorithm.

1. Introduction

We consider the problem of designing an efficient deterministic algorithm for factoring a univariate polynomial, with coefficients taken from a finite field. The problem reduces in polynomial time to the problem of factoring a monic, square-free and completely splitting polynomial f(x) with coefficients in a prime field F p (see [Ber70], [LN94]). Although there are efficient polynomial time randomized algorithms for factoring f (x) ([Ber70], [CZ81], [vzGS92], [KS95]), as yet there is no deterministic polynomial time algorithm even under the assumption of the Extended Riemann Hypothesis (ERH). In this paper we will assume that ERH is true and ξ ₁ , ξ ₂ , . . . , ξ _n are the n distinct roots of the input polynomial f ,

f (x) =

n

Y

i=1

(x − ξ i ) where ξ i ∈ F p

In 2001, Gao [Gao01] gave a deterministic factoring algorithm that fails to find non- trivial factors of f in polynomial time, if f belongs to a restricted class of polynomials, namely square balanced polynomials. Motivated by the work of Gao [Gao01], we have de- fined a proper subclass of square balanced polynomials, namely cross balanced polynomials, such that polynomials that are not cross balanced, can be factored deterministically in polynomial time, under the assumption of the ERH.

Our contribution can be summarized as follows. Let f be a monic, square-free and completely splitting polynomial in F p [x] with n roots ξ ₁ , . . . , ξ n . Our factoring algorithm uses an arbitrary (but deterministically chosen) collection of k = (n log p) ^O(1) (n = deg(f ))

Key words and phrases: Algebraic Algorithms, polynomial factorization, finite fields.

c

Chandan Saha

CC Creative Commons Attribution-NoDerivs License

(3)

small degree auxiliary polynomials p ₁ (.), . . . , p k (.), and from each p l (·) (1 ≤ l ≤ k) and f it implicitly constructs a simple n-vertex digraph G _l such that, (for l > 1) G _l is a subgraph (not necessarily a proper subgraph) of G _l−1 . A proper factor of f is efficiently retrieved if any one of the graphs is either not regular, or is regular with in degree and out degree of every vertex less than a chosen constant c. This condition of regularity of all the k graphs imposes a tight symmetry condition on the roots of f , and we point out that this may be exploited to improve the worst case time complexity of the best known deterministic algorithms. Further, we show that if the polynomials p l (·) (1 ≤ l ≤ k) are randomly chosen then the symmetry breaks with high probability and our algorithm works in randomized polynomial time. We call the checking of this symmetry condition a balance test.

We now present a little more details. Define the sets ∆ i for 1 ≤ i ≤ n as,

∆ _i = {1 ≤ j ≤ n : j 6= i, σ((ξ _i − ξ _j ) ² ) = −(ξ _i − ξ _j )}

where σ is the square root algorithm described in [Gao01] (see section 2.4). The polynomial f is called a square balanced polynomial (as in [Gao01]) if #∆ ₁ = . . . = #∆ n . For l > 1, define polynomial f _l as,

f _l =

n

Y

i=1

(x − p _l (ξ i ))

where p l (.) is an arbitrary but deterministically chosen polynomial with degree bounded by (n log p) ^O(1) . Further, p _l

₁

(.) 6= p _l

₂

(.) for l ₁ 6= l ₂ , and f ₁ is taken to be f i.e. p ₁ (y) = y.

Assume that, for a given k = (n log p) ^O(1) , for every l, 1 ≤ l ≤ k, polynomial f l = ˜ f _l ^d

^l

, where ˜ f _l is a square-free and square balanced polynomial and d _l > 0. Later, we show that, if f _l is not of the above form then a proper factor of f can be retrieved efficiently. For each polynomial f l , 1 ≤ l ≤ k, define the sets ∆ ^(l) _i for 1 ≤ i ≤ n as,

∆ ^(l) _i = {1 ≤ j ≤ n : p _l (ξ _i ) 6= p _l (ξ _j ), σ((p _l (ξ _i ) − p _l (ξ _j )) ² ) = −(p _l (ξ _i ) − p _l (ξ _j ))}

Further, define the sets D i (l) iteratively over l as, D ⁽¹⁾ _i = ∆ ⁽¹⁾ _i

For l > 1, D _i ^(l) = D _i ^(l−1) ∩ ∆ ^(l) _i

If D _i ^(l) = φ for all i, 1 ≤ i ≤ n, then redefine D _i ^(l) as D ^(l) _i = D _i ^(l−1) . For 1 ≤ l ≤ k, let G _l be a directed graph with n vertices v ₁ , . . . , v n , such that there is an edge from v _i to v _j if and only if j ∈ D ^(l) _i . Note that, G _l is a subgraph of G _l−1 for 1 < l ≤ k. Denote the in degree and out degree of a vertex v i by indeg(v i ) and outdeg(v i ), respectively. We say that the graph G _l is regular (or t-regular ) if indeg(v ₁ ) = outdeg(v ₁ ) = . . . = indeg(v _n ) = outdeg(v _n ) = t. Call t as the regularity of G _l . The following theorem is proved in this paper.

Theorem 1.1. Polynomial f can be factored into nontrivial factors in time l · (n log p) ^O(1) if G l is not regular for some l, 1 ≤ l ≤ k. Further, if G ₁ , . . . , G k are all regular and for at least ⌈log ₂ n⌉ of the graphs we have G _l 6= G _l−1 (1 < l ≤ k), then f can be factored in k · (n log p) ^O(1) time.

Note that, G ₁ is regular if and only if f is square balanced, as ∆ ⁽¹⁾ _i = ∆ _i , for 1 ≤ i ≤ n and

G ₁ is in fact a regular tournament.

(4)

Suppose f (y) splits as f (y) = (y − X)· f ^′ (y) in the quotient ring R = ^F _(f

^p

^[x] ₎ where X = x mod f . Our algorithm iteratively tests graphs G ₁ , G ₂ , . . . so on, to check if any one of them is not regular. If at the l ^th iteration graph G l turns out to be not regular, then a proper factor of f is obtained in polynomial time. However, if G _l is regular, then the algorithm returns a nontrivial monic factor g l (y) of f ^′ (y) with degree equal to the regularity of G l . Moreover, g _l (y) is also a factor of (although may be equal to) g _l−1 (y), the factor obtained at the (l − 1) ^th iteration, and it can be ensured that if g l (y) is a proper factor of g _l−1 (y) (which happens iff G l 6= G _l−1 ) then deg(g l (y)) ≤ ¹ ₂ · deg(g _l−1 (y)). Thus, if the graphs repeatedly turn out to be regular (which in itself is a stringent condition) and for at least ⌈log ₂ n⌉

times it happen that G _l 6= G _l−1 , for 1 < l ≤ k, then we obtain a nontrivial linear factor g(y) of f ^′ (y). The element −g(0) defines a nontrivial endomorphism in the ring R, and by using a result from [Evd94] (Lemma 9 in [Evd94]) we can find a proper factor of f in polynomial time. Further, if for only ǫ⌈log ₂ n⌉ times we get G l 6= G _l−1 (1 < l ≤ k) for some ǫ, 0 < ǫ ≤ 1, then we obtain a nontrivial factor g(y) of f ^′ (y) with degree at most ⁿ

^1−ǫ

₂ . Now if we apply Evdokimov’s algorithm ([Evd94]) on g(y) (instead of f ^′ (y)), we can get a proper factor of f in time (n

^(1−ǫ)2²

^log ^n+ǫ+c

¹

log p) ^c

²

(c ₁ and c ₂ are constants). For most polynomials ǫ > 0 (i.e. at least about _log ¹ _n ) and this gives an improvement over the time complexity of (n

¹²

^log ^n+c

¹

log p) ^c

²

in [Evd94] (c ₁ , c ₂ are the same constants).

Assuming n << p, all the best known deterministic algorithms (e.g. [Evd94], [CH00]) use computations in rings with large dimensions over F _p to get smaller degree factors of f ^′ (y). Unlike these approaches, the balance test is an attempt to exploit an asymmetry among the roots of the input polynomial to obtain smaller degree factors of f ^′ (y) without carrying out computations in rings with large dimensions over F _p . This attribute of our approach yields a better time complexity for most polynomials in a way as discussed in the previous paragraph.

It is sufficient to choose the auxiliary polynomials p l (y), 1 < l ≤ k, in such a way that the graphs, if regular, are not all the same for too long, if their regularities are large. An efficient and deterministic construction of such auxiliary polynomials will immediately imply that factorization of univariate polynomials over finite fields can be done in deterministic polynomial time under ERH. In this paper we assume that the auxiliary polynomials are arbitrary but deterministically chosen polynomials with degree bounded by (n log p) ^O(1) . For example, one possibility is to choose p _l (y) = y ^l for 1 ≤ l ≤ k. (In fact, Gao [Gao01]

used this choice of auxiliary polynomials to define a restricted class of square balanced polynomials called super square balanced polynomials.) We show that, if random choices of auxiliary polynomials are allowed then our algorithm works in randomized polynomial time.

For the graphs to be all regular and equal, the roots of f must satisfy a tight symmetry condition (given by equal sizes of all the sets D ^(l) _i , for 1 ≤ i ≤ n and 1 ≤ l ≤ k) and it is only then that our algorithm fails to factor f .

Definition 1.1. A polynomial f is called k-cross balanced, for k > 0, if for every l, 1 ≤ l ≤ k, polynomial f _l = ˜ f _l ^d

^l

, where ˜ f _l is a square-free, square balanced polynomial with d _l > 0, and graph G l is regular.

It follows from the definition that, 1-cross balanced polynomials form the class of square

balanced polynomials. Let k = (n log p) ^O(1) be some fixed polynomial in n and log p. A

polynomial f is called cross balanced if it is k-cross balanced and regularity of graph G k is

(5)

greater than a fixed constant c. From Theorem 1.1 and [Evd94] it follows that, polynomials that are not cross balanced can be factored deterministically in polynomial time.

2. Preliminaries

Assume that f is a monic, square-free and completely splitting polynomial over F _p and R = ^F _(f)

^p

^[x] is the quotient ring consisting of all polynomials modulo f .

2.1. Primitive Idempotents

Elements χ ₁ , . . . , χ n of the ring R are called the primitive idempotents of R if, P n i=1 χ i = 1 and for 1 ≤ i, j ≤ n, χ _i · χ _j = χ _i if i = j and 0 otherwise. By Chinese Remaindering theorem, R ∼ = F p ⊕ . . . ⊕ F p (n times), such that every element in R can be uniquely represented by an n-tuple of elements in F _p . Addition and multiplication between two elements in R can viewed as componentwise addition and multiplication of the n-tuples.

Any element α = (a ₁ , . . . , a _n ) ∈ R can be equated as, α = P n

i=1 a _i χ _i where a _i ∈ F _p . Let g(y) be a polynomial in R[y] given by,

g(y) =

m

X

i=0

γ _i y ⁱ where γ _i ∈ R and γ i =

n

X

j=1

g ij χ j where g ij ∈ F p for 0 ≤ i ≤ m and 1 ≤ j ≤ n.

Then g(y) can be alternatively represented as, g(y) =

n

X

j=1

g j (y)χ j where g j (y) =

m

X

i=0

g ij y ⁱ ∈ F p [y] for 1 ≤ j ≤ n.

The usefulness of this representation is that, operations on polynomials in R[y] (multi- plication, gcd etc.) can be viewed as componentwise operations on polynomials in F _p [y].

2.2. Characteristic Polynomial Consider an element α = P n

i=1 a i χ i ∈ R where a i ∈ F p , 1 ≤ i ≤ n. The element α defines a linear transformation on the vector space R (over F _p ), mapping an element β ∈ R to αβ ∈ R. The characteristic polynomial of α (viewed as a linear transformation) is independent of the choice of basis and is equal to

c α (y) =

n

Y

i=1

(y − a i ),

In order to construct c α one can use 1, X, X ² , . . . , X ⁿ⁻¹ as the basis in R and form the matrix (m _ij ) where α · X ^j−1 = P n

i=1 m _ij X ⁱ⁻¹ , m _ij ∈ F _p , 1 ≤ i, j ≤ n. Then c _α can be

constructed by evaluating det(y · I − (m ij )) at n distinct values of y and solving for the n

coefficients of c _α using linear algebra. The process takes only polynomial time. The notion

of characteristic polynomial extends even to higher dimensional algebras over F p .

(6)

2.3. GCD of Polynomials Let g(y) = P n

i=1 g i (y)χ i and h(y) = P n

i=1 h i (y)χ i be two polynomials in R[y], where g _i , h _i ∈ F _p [y] for 1 ≤ i ≤ n . Then, gcd of g and f is defined as,

gcd(g, f) =

n

X

i=1

gcd(g _i , h _i )χ _i

We note that, the concept of gcd of polynomials does not make sense in general over any arbitrary algebra. However, the fact that R is a completely splitting semisimple algebra over F _p allows us to work component-wise over F _p and this makes the notion of gcd meaningful in the context. The following lemma was shown by Gao [Gao01].

Lemma 2.1. [Gao01] Given two polynomials g, h ∈ R[y], gcd(g, h) can be computed in time polynomial in the degrees of the polynomials, n and log p.

2.4. Gao’s Algorithm

Let R = ^F _(f)

^p

^[x] = F _p [X] where X = x mod f and suppose that f (y) splits in R as, f (y) = (y − X)f ^′ (y). Define quotient ring S as, S = ^R[y] _(f

′

) = R[Y ] where Y = y mod f ^′ . S is an elementary algebra over F p with dimension n ^′ = n(n − 1). Gao [Gao01] described an algorithm σ for taking square root of an element in S. If p − 1 = 2 ^e w where e ≥ 1 and w is odd, and η is a primitive 2 ^e -th root of unity, then σ has the following properties:

(1) Let µ ₁ , . . . , µ _n

^′

be primitive idempotents in S and α = P n

^′

i=1 a _i µ _i ∈ S where a _i ∈ F _p . Then, σ(α) = P n

^′

i=1 σ(a _i )µ _i .

(2) Let a = η û θ where θ ∈ F _p with θ ^w = 1 and 0 ≤ u < 2 ê . Then σ(a ² ) = a iff u < 2 ê−1 . When p = 3 mod 4, η = −1 and property 2 implies that σ(a ² ) = a for a ∈ F p iff a is a quadratic residue in F p .

Algorithm 1. [Gao01]

Input: A polynomial f ∈ F p [x].

Output: A proper factor of f or output that “f is square balanced”.

1. Form X, Y , R, S as before.

2. Compute C = ¹ ₂ (X + Y + σ((X − Y ) ² )) ∈ S.

3. Compute the characteristic polynomial c(y) of C over R.

4. Decompose c(y) as c(y) = h(y)(y − X) ^t , where t is the largest possible.

5. If h(X) is a zero divisor in R then find a proper factor of f , otherwise output that “f is square balanced”.

It was shown in [Gao01] that Algorithm 1 fails to find a proper factor of f if and only if f is square balanced. Moreover, it follows from the analysis in [Gao01] (see Theorem 3.1 in [Gao01]) that, when f is square balanced the polynomial h(y) takes the form,

h(y) =

n

X

i=1



 Y

j∈∆

i

(y − ξ j )



 χ i

where ∆ _i = {j : j 6= i, σ((ξ _i − ξ _j ) ² ) = −(ξ _i − ξ _j )} and #∆ _i = ⁿ⁻¹ ₂ for all i, 1 ≤ i ≤ n.

(7)

3. Our Algorithm and Analysis

In this section, we describe our algorithm for factoring polynomial f . We show that the algorithm fails to factor f in k · (n log p) ^O(1) time if and only if f is k-cross balanced and regularity of G k is greater than c. The algorithm involves k polynomials, f = f ₁ , . . . , f k , where polynomial f _l , 1 < l ≤ k, is defined as,

f l =

n

Y

i=1

(x − p l (ξ i ))

where p l (.) is an arbitrary but deterministically fixed polynomial with degree bounded by (n log p) ^O(1) and p _l

₁

(.) 6= p _l

₂

(.) for l ₁ 6= l ₂ . The polynomial f _l can be constructed in polynomial time by considering the element p _l (X) in R = ^F _(f)

^p

^[x] = F _p [X], where X = x mod f , and then computing its characteristic polynomial over F p .

Lemma 3.1. If f l is not of the form f l = ˜ f l d

l

, where f ˜ l is a square-free, square balanced polynomial and d _l > 0, then a proper factor of f can be retrieved in polynomial time.

Proof: By definition, f _l = Q n

i=1 (x − p _l (ξ _i )). Define the sets E _i , for 1 ≤ i ≤ n, as E i = {1 ≤ j ≤ n : p l (ξ j ) = p l (ξ i )}. Consider the following gcd in the ring R[y],

g(y) = gcd (p _l (y) − p _l (X), f (y)) =

n

X

i=1



 Y

j∈E

i

(y − ξ _j )



 χ _i

The leading coefficient of g(y) is a zero-divisor in R, unless #E ₁ = . . . = #E _n = d _l (say).

Therefore, we can assume that, f _l =

m

l

Y

j=1

x − p _l (ξ _s

_j

) d

l

where p _l (ξ _s

₁

), . . . , p _l (ξ _s

_ml

) are all distinct and m _l = n d _l

= f ˜ _l ^d

^l

where ˜ f _l =

m

l

Y

j=1

x − p _l (ξ s

j

)

is square-free.

If polynomial ˜ f _l (obtained by square-freeing f _l ) is not square balanced then a proper factor

˜

g _l of ˜ f _l is returned by Algorithm 1. But then,

gcd ( ˜ g l (p l (x)), f (x)) = Y

j: ˜ g

l

(p

l

(ξ

j

))=0

(x − ξ j ) is a proper factor of f .

Algorithm 1 works with ˜ f l = Q m

l

j=1 x − p l (ξ s

j

)

as the input polynomial where p l (ξ s

j

)’s are distinct and m l = _d ⁿ

l

, and returns a polynomial h l (y) such that, h _l (y) =

m

l

X

j=1





 Y

r∈ ∆ ˜

^(l)_j

(y − p _l (ξ _s

_r

))





 χ ^(l) _j (3.1)

where χ ^(l) _j ’s are the primitive idempotents of the ring R _l = ^F

^p

^[x]

( ˜ f

l

) ,

∆ ˜ ^(l) _j = {1 ≤ r ≤ m _l : r 6= j, σ((p _l (ξ _s

_j

) − p _l (ξ _s

_r

)) ² ) = −(p _l (ξ _s

_j

) − p _l (ξ _s

_r

))}

(8)

and # ˜ ∆ ^(l) _j = ^m

^l

₂ ⁻¹ for 1 ≤ j ≤ m l . Assume that p > n ² and n is odd, as even degree polynomials can be factored in polynomial time. In the following algorithm, parameter k is taken to be a fixed polynomial in n and log p and c is a fixed constant.

Algorithm 2. Cross Balance

Input: A polynomial f ∈ F p [x] of odd degree n.

Output: A proper factor of f or “Failure”.

• Choose k − 1 distinct polynomials p ₂ (y), . . . , p _k (y) with degree greater than unity and bounded by a polynomial in n and log p. (We can use any arbitrary, efficient mechanism to deterministically choose the polynomials.) Take p ₁ (y) = y.

• for l = 1 to k do

[Steps (1) - (2): Constructing polynomial f l and checking if f can be factored using Lemma 3.1.]

(1) (Construct polynomial f l ) Compute the characteristic polynomial, c α (x), of element α = p _l (X) ∈ R, over F _p . Then f _l = c _α (x).

(2) (Check if f can be factored) Check if f _l is of the form f _l = ˜ f _l ^d

^l

, where ˜ f _l is a square-free, square balanced polynomial and d l > 0. If not, then find a proper factor of f as in Lemma 3.1.

[Steps (3) - (6): Constructing graph G _l implicitly.]

(3) (Obtain the required polynomial from Algorithm 1) Else, ˜ f _l is square balanced and Algorithm 1 returns a polynomial h _l (y) = y ^t + α ₁ y ^t−1 + . . . + α _t (as in equation 3.1), where t = ^m

^l

₂ ⁻¹ and α u ∈ R _l for 1 ≤ u ≤ t.

(4) (Change to a common ring so that gcd is feasible) Each α _u ∈ R _l is a polynomial α u (x) ∈ F p [x] of degree less than m l . Compute α ^′ _u as, α ^′ _u = α u (p l (x)) mod f, for 1 ≤ u ≤ t, and construct the polynomial h ^′ _l (y) = y ^t +α ^′ ₁ y ^t−1 +. . .+α ^′ _t ∈ R[y].

(5) (Construct graph G _l implicitly) If l = 1 then assign g _l (y) = h ^′ _l (y) ∈ R[y] and continue the loop with the next value of l. Else, construct the polynomial h ^′ _l (p _l (y)) by replacing y by p _l (y) in h _l (y) and compute g _l (y) as,

g l (y) = gcd(g _l−1 (y), h ^′ _l (p l (y))) ∈ R[y].

(6) (Check if G _l is a null graph) Let g _l (y) = β _t

^′

y ^t

^′

+ . . . + β ₀ , where t ^′ is the degree of g l (y) and β u ∈ R for 0 ≤ u ≤ t ^′ . If t ^′ = 0 then make g l (y) = g _l−1 (y) and continue the loop with the next value of l.

[Steps (7) - (8): Checking for equal out degrees of the vertices of graph G l .]

(7) (Check if out degrees are equal) Else, t ^′ > 0. If β t

^′

is a zero divisor in R, construct a proper factor of f from β _t

^′

and stop.

(8) (Factor if out degrees are small) Else, if t ^′ ≤ c then use Evdokimov’s algorithm [Evd94] on g _l (y) to find a proper factor of f in (n log p) ^O(1) time.

[Steps (9) - (11): Checking for equal in degrees of the vertices of graph G l .]

(9)

(9) (Obtain the values of a nice polynomial at multiple points) If t ^′ > c, eval- uate g _l (y) ∈ R[y] at n · t ^′ distinct points y ₁ , . . . , y _nt

^′

taken from F p . Find the characteristic polynomials of elements g _l (y ₁ ), . . . , g _l (y _nt

^′

) ∈ R over F _p as c ₁ (x), . . . , c _nt

^′

(x) ∈ F p [x], respectively. Collect the terms c i (0) for 1 ≤ i ≤ nt ^′ . (10) (Construct the nice polynomial from the values) Construct the polynomial

r(x) = x ^nt

^′

+r ₁ x ^nt

^′

⁻¹ +. . .+r _nt

^′

∈ F p [x] such that r(y i ) = −c i (0) for 1 ≤ i ≤ nt ^′ . Solve for r _i ∈ F _p , 1 ≤ i ≤ nt ^′ , using linear algebra.

(11) (Check if in degrees are equal) For 0 ≤ i < t ^′ , if f ⁱ (x) divides r(x) then compute gcd

r(x)

f

ⁱ

(x) , f (x)

∈ F p [x]. If a proper factor of f is found, stop. Else, continue with the next value of l.

endfor

• If a proper factor of f is not found in the above for loop, return “Failure”.

Theorem 3.2. Algorithm 2 fails to find a proper factor f in k · (n log p) ^O(1) time if and only if f is k-cross balanced and regularity of graph G k is greater than c.

Proof: We show that, Algorithm 2 fails to find a proper factor of f at the l ^th iteration of the loop iff f is l-cross balanced and regularity of G _l is greater than c. Recall the definitions of the sets ∆ ^(l) _i and D ^(l) _i , 1 ≤ i ≤ n, from section 1. The set ∆ ^(l) _i is defined as,

∆ ^(l) _i = {1 ≤ j ≤ n : p _l (ξ i ) 6= p _l (ξ j ), σ((p _l (ξ i ) − p _l (ξ j )) ² ) = −(p _l (ξ i ) − p _l (ξ j ))}

And set D ^(l) _i is defined iteratively over l as, D _i ⁽¹⁾ = ∆ ⁽¹⁾ _i

For l > 1, D _i ^(l) = D ^(l−1) _i ∩ ∆ ^(l) _i

If D _i ^(l) = φ for all i, 1 ≤ i ≤ n, then D ^(l) _i is redefined as D _i ^(l) = D ^(l−1) _i . Graph G _l , with n vertices v ₁ , . . . , v n , has an edge from v i to v j iff j ∈ D _i ^(l) .

Algorithm 2 fails at the first iteration (l = 1) if and only if f is square balanced. In this case, D ⁽¹⁾ _i = ∆ ⁽¹⁾ _i = ∆ i , the polynomial g ₁ (y) is,

g ₁ (y) = h(y) =

n

X

i=1





 Y

j∈D

⁽¹⁾_i

(y − ξ _j )





 χ _i

and G ₁ is regular with in degree and out degree of a vertex v i equal to #D ⁽¹⁾ _i = #∆ i = ⁿ⁻¹ ₂ . Thus, polynomial f is 1-cross balanced and deg(g ₁ (y)) = ⁿ⁻¹ ₂ . If Algorithm 2 fails at the l ^th iteration, then we can assume that the polynomials f = ˜ f ₁ , . . . , f ˜ _l are square free and square balanced (by Lemma 3.1).

Suppose that, Algorithm 2 fails at the l ^th iteration. Then, ˜ f l = Q m

l

j=1 x − p l (ξ s

j

) is square free and square balanced, and Algorithm 1 returns the polynomial h _l (y) ∈ R _l [y] such that,

h _l (y) =

m

l

X

j=1





 Y

r∈ ∆ ˜

^(l)_j

(y − p _l (ξ s

r

))





 χ ^(l) _j (3.2)

(10)

where χ ^(l) _j ’s are the primitive idempotents of the ring R l = ^F

^p

^[x]

( ˜ f

_l

) and,

∆ ˜ ^(l) _j = {1 ≤ r ≤ m l : r 6= j, σ((p l (ξ s

j

) − p l (ξ s

r

)) ² ) = −(p l (ξ s

j

) − p l (ξ s

r

))}

Let, h _l (y) = y ^t + α ₁ y ^t−1 + . . . + α t , where t = ^m

^l

₂ ⁻¹ and α u ∈ R _l for 1 ≤ u ≤ t. Each α u ∈ R l is a polynomial α u (x) ∈ F p [x] with degree less than m l and if α u = P m

l

j=1 a uj χ ^(l) _j for a uj ∈ F p , then by Chinese Remaindering theorem (and assuming the correspondence between χ ^(l) _j and the factor (x − p l (ξ s

j

)) of ˜ f l ) we get,

α _u (x) = q(x)(x − p _l (ξ _s

_j

)) + a _uj for some polynomial q(x) ∈ F _p [x]

⇒ α u (p l (x)) = q(p l (x))(p l (x) − p l (ξ s

j

)) + a uj

⇒ α u (p l (x)) = a uj mod (x − ξ) for every ξ ∈ {ξ 1 , . . . , ξ n } such that p l (ξ) = p l (ξ s

j

) Suppose that, for a given i (1 ≤ i ≤ n), j(i) (1 ≤ j(i) ≤ m _l ) is a unique index such that, p l (ξ i ) = p l (ξ s

_j(i)

). Then, the polynomial α ^′ _u (x) = α u (p l (x)) mod f has the following direct sum (or canonical) representation in the ring R,

α ^′ _u (x) =

n

X

i=1

a _uj(i) χ _i

This implies that the polynomial h ^′ _l (y) = y ^t + α ^′ ₁ y ^t−1 + . . . + α ^′ _t ∈ R[y] has the canonical representation,

h ^′ _l (y) =

n

X

i=1





 Y

r∈ ∆ ˜

^(l)_j(i)

(y − p _l (ξ _s

_r

))





 χ _i (3.3)

Inductively, assume that g _l−1 (y) has the form, g _l−1 (y) =

n

X

i=1





 Y

j∈D

^(l−1)_i

(y − ξ _j )





 χ _i

Then,

g l (y) = gcd g _l−1 (y), h ^′ _l (p l (y))

=

n

X

i=1

gcd





 Y

j∈D

^(l−1)_i

(y − ξ _j ), Y

r∈ ∆ ˜

^(l)_j(i)

(p _l (y) − p _l (ξ _s

_r

))





 χ _i

=

n

X

i=1







Y

j∈D

^(l−1)_i

∩∆

^(l)_i

(y − ξ j )





 χ i (as r ∈ ∆ ˜ ^(l) _j(i) ⇔ s r ∈ ∆ ^(l) _i ) Therefore,

g l (y) =

n

X

i=1





 Y

j∈D

_i^(l)

(y − ξ j )





 χ i

= β _t

^′

y ^t

^′

+ . . . + β ₀ (say)

(11)

where t ^′ = max _i

#D ^(l) _i

and β _u ∈ R for 1 ≤ u ≤ t ^′ ≤ ⁿ⁻¹ ₂ . The element β _t

^′

is not a zero divisor in R if and only if #D ₁ ^(l) = . . . = #D n ^(l) = t ^′ . If t ^′ ≤ c then a factor of f can be retrieved from g l (y) in polynomial time using already known methods ([Evd94]). The condition #D _i ^(l) = t ^′ for all i, 1 ≤ i ≤ t ^′ , makes the out degree of every vertex in G l equal to t ^′ . However, this may not necessarily imply that the in degree of every vertex in G _l is also t ^′ . Checking for identical in degrees of the vertices of G l is handled in steps (9) − (11) of the algorithm. Consider evaluating the polynomial g _l (y) at a point y s ∈ F p .

g l (y s ) =

n

X

i=1





 Y

j∈D

^(l)_i

(y s − ξ j )





 χ i ∈ R

The characteristic polynomial of g l (y s ) over F p is, c _s (x) =

n

Y

i=1





 x − Y

j∈D

_i^(l)

(y _s − ξ _j )







⇒ −c s (0) =

n

Y

j=1

(y s − ξ j ) ^k

^j

(since n is odd)

where k _j is the in degree of vertex v _j in G _l . Let r(x) = x ^nt

^′

+ r ₁ x ^nt

^′

⁻¹ + . . . + r _nt

^′

∈ F _p [x]

be a polynomial of degree nt ^′ , such that, r(y _s ) = −c _s (0) =

n

Y

j=1

(y _s − ξ _j ) ^k

^j

for nt ^′ distinct points {y s } _1≤s≤nt

^′

taken from F p . Since we have assumed that p > n ² >

n(n−1)

2 ≥ nt ^′ , we can solve for the coefficients r ₁ , . . . , r _nt

^′

using any nt ^′ distinct points from F p . Then,

r(x) =

n

Y

j=1

(x − ξ j ) ^k

^j

If k _j 6= t ^′ for some j, then there is an i = min{k ₁ , . . . , k _n } < t ^′ such that f ⁱ (x) divides r(x) and gcd

r(x)

f

ⁱ

(x) , f (x)

yields a nontrivial factor of f (x). This shows that the graph G l is regular if the algorithm fails at the l ^th step. Since deg(g l (y)) equals the regularity of G l , hence if the latter quantity is less than c then we can apply Evdokimov’s algorithm [Evd94]

on g l (y) and get a non trivial factor of f in polynomial time.

Let H l (1 ≤ l ≤ k) be a digraph with n vertices v ₁ , . . . , v n such that there is an edge

from v i to v j iff j ∈ ∆ ^(l) _i . Then, graph G l = G _l−1 ∩ H l or G l = G _l−1 (if G _l−1 ∩ H l = Φ,

where Φ is the null graph with n vertices but no edge). Here ∩ denotes the edge intersection

of graphs defined on the same set of vertices. Algorithm 2 fails to find a proper factor of f

in polynomial time if and only if there exists an l ≤ k such that G _l is t-regular (t > c) and

G l ∩ H j = G l or Φ for all j, l < j ≤ k. It is therefore important to choose the polynomials

p j (·) in such a way that very quickly we get a graph H j with G _l ∩ H j 6= G _l or Φ. We say

(12)

that a polynomial p l (·) is good if either H l is not regular or G l 6= G _l−1 (1 < l ≤ k). We show that, only a few good polynomials are required.

Lemma 3.3. Algorithm 2 (with a slight modification) requires at most ⌈log ₂ n⌉ good auxil- iary polynomials to find a proper factor of f .

Proof: Consider the following modification of Algorithm 2. At step 5 of Algorithm 2, for l > 1, take g _l (y) to be either gcd(g _l−1 (y), h ^′ _l (p _l (y))) or g _l−1 (y)/gcd(g _l−1 (y), h ^′ _l (p _l (y))), whichever has the smaller nonzero degree. Accordingly, we modify the definition of graph G l . Define the set ¯ ∆ ^(l) _i (1 ≤ i ≤ n) as,

∆ ¯ ^(l) _i = {1 ≤ j ≤ n : j 6= i, σ((p l (ξ i )−p l (ξ j )) ² ) = (p l (ξ i )−p l (ξ j ))} = {1 ≤ j ≤ n : j 6= i}−∆ ^(l) _i and modify the definition of the sets D _i ^(l) (1 ≤ i ≤ n) as,

D _i ⁽¹⁾ = ∆ ⁽¹⁾ _i

For l > 1, D i (l) = D i (l−1) ∩ ∆ ^(l) _i if g _l (y) = gcd(g _l−1 (y), h ^′ _l (p _l (y)))

= D i (l−1) ∩ ∆ ¯ ^(l) _i else if g l (y) = g _l−1 (y)/gcd(g _l−1 (y), h ^′ _l (p l (y))) As before, an edge (v i , v j ) is present in G l iff j ∈ D _i ^(l) . This modification ensures that, if g _l (y) 6= g _l−1 (y) has an invertible leading coefficient (i.e if g _l (y) is monic) then the degree of g l (y) is at most half the degree of g _l−1 (y). Hence, for every good choice of polynomial p l (·) if G _l−1 and G l are t _l−1 -regular and t l -regular, respectively, then t l ≤ ^t

^l−1

₂ . Therefore, at most ⌈log ₂ n⌉ good choices of polynomials p _l (·) are required by the algorithm.

Theorem 1.1 follows as a corollary to Theorem 3.2 and Lemma 3.3. As already pointed out in section 1, if only ǫ⌈log ₂ n⌉ good auxiliary polynomials are available for some ǫ, 0 < ǫ ≤ 1, then we obtain a nontrivial factor g(y) of f ^′ (y) with degree at most ⁿ

^1−ǫ

₂ . If we apply Evdokimov’s algorithm on g(y) instead of f ^′ (y), then the maximum dimension of the rings considered is bounded by n

^(1−ǫ)2²

^log ^n+ǫ+O(1) instead of n

^log²ⁿ

^+O(1) (as is the case in [Evd94]).

In the following discussion we briefly analyze the performance of Algorithm 2 based on uniform random choices of the auxiliary polynomials p l (.) (1 < l ≤ k). The proofs are omitted.

Lemma 3.4. If p = 3 mod 4 and p ≥ n ⁶ 2 ²ⁿ then about ^(1+o(1))

ⁿ

(

^π₂

n)

ⁿ²

fraction of all completely splitting, square-free polynomials of degree n are square balanced.

Corollary 3.5. If p = 3 mod 4, p > n ⁶ 2 ²ⁿ and p l (y) is a uniformly randomly chosen polynomial of degree (n − 1) then the probability that f _l is either not square-free or is a square-free and square balanced polynomial is upper bounded by ^(1+o(1))

ⁿ

(

^π₂

n)

ⁿ²

.

It follows that, for p = 3 mod 4 and p > n ⁶ 2 ²ⁿ , if the auxiliary polynomials p _l (·)’s are uniformly randomly chosen then Algorithm 2 works in randomized polynomial time.

However, the arguments used in the proof of Lemma 3.4 do not immediately apply to the

case p = 1 mod 4. Therefore, we resort to a more straightforward analysis, although in the

process we get a slightly weaker probability bound.

(13)

Lemma 3.6. If G l (1 ≤ l < k) is regular and p _l+1 (y) ∈ F p [y] is a uniformly randomly chosen polynomial of degree (n − 1) then G _l+1 6= G _l with probability at least 1 − ₂

0.9n−2

¹ . Thus, if polynomials p l (y), 1 < l ≤ ⌈log ₂ n⌉, are randomly chosen, then the probability that f is not factored by Algorithm 2 within ⌈log ₂ n⌉ iterations is less than ^⌈log ₂

_0.9n−2²

^n⌉ .

4. Conclusion

In this paper, we have extended the square balance test by Gao [Gao01] and showed a direction towards improving the time complexity of the best previously known deterministic factoring algorithms. Using certain auxiliary polynomials, our algorithm attempts to exploit an inherent asymmetry among the roots of the input polynomial f in order to efficiently find a proper factor. The advantage of using auxiliary polynomials is that, unlike [Evd94], it avoids the need to carry out computations in rings with large dimensions, thereby saving overall computation time to a significant extent. Motivated by the stringent symmetry requirement from the roots of f , we pose the following question:

• Is it possible to construct good auxiliary polynomials in deterministic polynomial time?

An affirmative answer to the question will immediately imply that factoring polynomials over finite fields can be done in deterministic polynomial time under ERH.

Acknowledgements

The author would like to thank Manindra Agrawal and Piyush Kurur for many insightful discussions that helped in improving the result. The suggestions from anonymous referees have significantly improved the presentation of this paper. The author is thankful to them.

References

[Ber70] E. R. Berlekamp. Factoring polynomials over large finite fields. Mathematics of Computation, 24(111):713–735, 1970.

[CH00] Qi Cheng and Ming-Deh A. Huang. Factoring polynominals over finite fields and stable colorings of tournaments. ANTS, pages 233–246, 2000.

[CZ81] David G. Cantor and Hans Zassenhaus. A new algorithm for factoring polynomials over finite fields. Mathematics of Computation, 36(154):587–592, 1981.

[Evd94] Sergei Evdokimov. Factorization of polynominals over finite fields in subexponential time under GRH. ANTS, pages 209–219, 1994.

[Gao01] Shuhong Gao. On the deterministic complexity of factoring polynomials. Journal of Symbolic Computation, 31(1–2):19–36, 2001.

[KS95] Erich Kaltofen and Victor Shoup. Subquadratic-time factoring of polynomials over finite fields.

STOC, pages 398–406, 1995.

[LN94] R. Lidl and H. Niederreiter. Introduction to finite fields and their applications, revised edition.

Cambridge University Press, 1994.

[vzGS92] Joachim von zur Gathen and Victor Shoup. Computing frobenius maps and factoring polynomials.

Computational Complexity, 2:187–224, 1992.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visithttp://creativecommons.org/licenses/by-nd/3.0/.

Factoring Polynomials over Finite Fields using Balance Test

HAL Id: hal-00255827

https://hal.archives-ouvertes.fr/hal-00255827

Submitted on 14 Feb 2008

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Test

Chandan Saha

To cite this version:

Chandan Saha. Factoring Polynomials over Finite Fields using Balance Test. STACS 2008, Feb 2008,

Bordeaux, France. pp.609-620. �hal-00255827�

hal-00255827, version 1 - 14 Feb 2008

FACTORING POLYNOMIALS OVER FINITE FIELDS USING BALANCE TEST

CHANDAN SAHA

Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur E-mail address: [email protected]

Abstract. We study the problem of factoring univariate polynomials over finite fields.

1. Introduction

f (x) =

n

Y

i=1

(x − ξ i ) where ξ i ∈ F p

Our contribution can be summarized as follows. Let f be a monic, square-free and completely splitting polynomial in F p [x] with n roots ξ 1 , . . . , ξ n . Our factoring algorithm uses an arbitrary (but deterministically chosen) collection of k = (n log p) O(1) (n = deg(f ))

Key words and phrases: Algebraic Algorithms, polynomial factorization, finite fields.

We now present a little more details. Define the sets ∆ i for 1 ≤ i ≤ n as,

∆ i = {1 ≤ j ≤ n : j 6= i, σ((ξ i − ξ j ) 2 ) = −(ξ i − ξ j )}

where σ is the square root algorithm described in [Gao01] (see section 2.4). The polynomial f is called a square balanced polynomial (as in [Gao01]) if #∆ 1 = . . . = #∆ n . For l > 1, define polynomial f l as,

f l =

n

Y

i=1

(x − p l (ξ i ))

where p l (.) is an arbitrary but deterministically chosen polynomial with degree bounded by (n log p) O(1) . Further, p l

(.) 6= p l

(.) for l 1 6= l 2 , and f 1 is taken to be f i.e. p 1 (y) = y.

Assume that, for a given k = (n log p) O(1) , for every l, 1 ≤ l ≤ k, polynomial f l = ˜ f l d

, where ˜ f l is a square-free and square balanced polynomial and d l > 0. Later, we show that, if f l is not of the above form then a proper factor of f can be retrieved efficiently. For each polynomial f l , 1 ≤ l ≤ k, define the sets ∆ (l) i for 1 ≤ i ≤ n as,

∆ (l) i = {1 ≤ j ≤ n : p l (ξ i ) 6= p l (ξ j ), σ((p l (ξ i ) − p l (ξ j )) 2 ) = −(p l (ξ i ) − p l (ξ j ))}

Further, define the sets D i (l) iteratively over l as, D (1) i = ∆ (1) i

For l > 1, D i (l) = D i (l−1) ∩ ∆ (l) i

Note that, G 1 is regular if and only if f is square balanced, as ∆ (1) i = ∆ i , for 1 ≤ i ≤ n and

G 1 is in fact a regular tournament.

Suppose f (y) splits as f (y) = (y − X)· f ′ (y) in the quotient ring R = F (f

2 . Now if we apply Evdokimov’s algorithm ([Evd94]) on g(y) (instead of f ′ (y)), we can get a proper factor of f in time (n

log n+ǫ+c

log p) c

(c 1 and c 2 are constants). For most polynomials ǫ > 0 (i.e. at least about log 1 n ) and this gives an improvement over the time complexity of (n

log n+c

log p) c

in [Evd94] (c 1 , c 2 are the same constants).

used this choice of auxiliary polynomials to define a restricted class of square balanced polynomials called super square balanced polynomials.) We show that, if random choices of auxiliary polynomials are allowed then our algorithm works in randomized polynomial time.

For the graphs to be all regular and equal, the roots of f must satisfy a tight symmetry condition (given by equal sizes of all the sets D (l) i , for 1 ≤ i ≤ n and 1 ≤ l ≤ k) and it is only then that our algorithm fails to factor f .

Definition 1.1. A polynomial f is called k-cross balanced, for k > 0, if for every l, 1 ≤ l ≤ k, polynomial f l = ˜ f l d

, where ˜ f l is a square-free, square balanced polynomial with d l > 0, and graph G l is regular.

It follows from the definition that, 1-cross balanced polynomials form the class of square

balanced polynomials. Let k = (n log p) O(1) be some fixed polynomial in n and log p. A

polynomial f is called cross balanced if it is k-cross balanced and regularity of graph G k is

greater than a fixed constant c. From Theorem 1.1 and [Evd94] it follows that, polynomials that are not cross balanced can be factored deterministically in polynomial time.

2. Preliminaries

Assume that f is a monic, square-free and completely splitting polynomial over F p and R = F (f)

[x] is the quotient ring consisting of all polynomials modulo f .

2.1. Primitive Idempotents

Any element α = (a 1 , . . . , a n ) ∈ R can be equated as, α = P n

i=1 a i χ i where a i ∈ F p . Let g(y) be a polynomial in R[y] given by,

g(y) =

m

X

i=0

γ i y i where γ i ∈ R and γ i =

n

X

j=1

g ij χ j where g ij ∈ F p for 0 ≤ i ≤ m and 1 ≤ j ≤ n.

Then g(y) can be alternatively represented as, g(y) =

n

X

j=1

g j (y)χ j where g j (y) =

m

X

Our contribution can be summarized as follows. Let f be a monic, square-free and completely splitting polynomial in F p [x] with n roots ξ ₁ , . . . , ξ n . Our factoring algorithm uses an arbitrary (but deterministically chosen) collection of k = (n log p) ^O(1) (n = deg(f ))

∆ _i = {1 ≤ j ≤ n : j 6= i, σ((ξ _i − ξ _j ) ² ) = −(ξ _i − ξ _j )}

where σ is the square root algorithm described in [Gao01] (see section 2.4). The polynomial f is called a square balanced polynomial (as in [Gao01]) if #∆ ₁ = . . . = #∆ n . For l > 1, define polynomial f _l as,

f _l =

(x − p _l (ξ i ))

where p l (.) is an arbitrary but deterministically chosen polynomial with degree bounded by (n log p) ^O(1) . Further, p _l

(.) 6= p _l

(.) for l ₁ 6= l ₂ , and f ₁ is taken to be f i.e. p ₁ (y) = y.

Assume that, for a given k = (n log p) ^O(1) , for every l, 1 ≤ l ≤ k, polynomial f l = ˜ f _l ^d

, where ˜ f _l is a square-free and square balanced polynomial and d _l > 0. Later, we show that, if f _l is not of the above form then a proper factor of f can be retrieved efficiently. For each polynomial f l , 1 ≤ l ≤ k, define the sets ∆ ^(l) _i for 1 ≤ i ≤ n as,

∆ ^(l) _i = {1 ≤ j ≤ n : p _l (ξ _i ) 6= p _l (ξ _j ), σ((p _l (ξ _i ) − p _l (ξ _j )) ² ) = −(p _l (ξ _i ) − p _l (ξ _j ))}

Further, define the sets D i (l) iteratively over l as, D ⁽¹⁾ _i = ∆ ⁽¹⁾ _i

For l > 1, D _i ^(l) = D _i ^(l−1) ∩ ∆ ^(l) _i

Note that, G ₁ is regular if and only if f is square balanced, as ∆ ⁽¹⁾ _i = ∆ _i , for 1 ≤ i ≤ n and

G ₁ is in fact a regular tournament.

Suppose f (y) splits as f (y) = (y − X)· f ^′ (y) in the quotient ring R = ^F _(f

₂ . Now if we apply Evdokimov’s algorithm ([Evd94]) on g(y) (instead of f ^′ (y)), we can get a proper factor of f in time (n

^log ^n+ǫ+c

log p) ^c

(c ₁ and c ₂ are constants). For most polynomials ǫ > 0 (i.e. at least about _log ¹ _n ) and this gives an improvement over the time complexity of (n

^log ^n+c

log p) ^c

in [Evd94] (c ₁ , c ₂ are the same constants).

For the graphs to be all regular and equal, the roots of f must satisfy a tight symmetry condition (given by equal sizes of all the sets D ^(l) _i , for 1 ≤ i ≤ n and 1 ≤ l ≤ k) and it is only then that our algorithm fails to factor f .

Definition 1.1. A polynomial f is called k-cross balanced, for k > 0, if for every l, 1 ≤ l ≤ k, polynomial f _l = ˜ f _l ^d

, where ˜ f _l is a square-free, square balanced polynomial with d _l > 0, and graph G l is regular.

balanced polynomials. Let k = (n log p) ^O(1) be some fixed polynomial in n and log p. A

Assume that f is a monic, square-free and completely splitting polynomial over F _p and R = ^F _(f)

^[x] is the quotient ring consisting of all polynomials modulo f .

Any element α = (a ₁ , . . . , a _n ) ∈ R can be equated as, α = P n

i=1 a _i χ _i where a _i ∈ F _p . Let g(y) be a polynomial in R[y] given by,

γ _i y ⁱ where γ _i ∈ R and γ i =

g ij y ⁱ ∈ F p [y] for 1 ≤ j ≤ n.

The usefulness of this representation is that, operations on polynomials in R[y] (multi- plication, gcd etc.) can be viewed as componentwise operations on polynomials in F _p [y].

In order to construct c α one can use 1, X, X ² , . . . , X ⁿ⁻¹ as the basis in R and form the matrix (m _ij ) where α · X ^j−1 = P n

i=1 m _ij X ⁱ⁻¹ , m _ij ∈ F _p , 1 ≤ i, j ≤ n. Then c _α can be

coefficients of c _α using linear algebra. The process takes only polynomial time. The notion

i=1 h i (y)χ i be two polynomials in R[y], where g _i , h _i ∈ F _p [y] for 1 ≤ i ≤ n . Then, gcd of g and f is defined as,

gcd(g _i , h _i )χ _i

Let R = ^F _(f)

^[x] = F _p [X] where X = x mod f and suppose that f (y) splits in R as, f (y) = (y − X)f ^′ (y). Define quotient ring S as, S = ^R[y] _(f

(1) Let µ ₁ , . . . , µ _n

i=1 a _i µ _i ∈ S where a _i ∈ F _p . Then, σ(α) = P n

i=1 σ(a _i )µ _i .

(2) Let a = η û θ where θ ∈ F _p with θ ^w = 1 and 0 ≤ u < 2 ê . Then σ(a ² ) = a iff u < 2 ê−1 . When p = 3 mod 4, η = −1 and property 2 implies that σ(a ² ) = a for a ∈ F p iff a is a quadratic residue in F p .

2. Compute C = ¹ ₂ (X + Y + σ((X − Y ) ² )) ∈ S.

4. Decompose c(y) as c(y) = h(y)(y − X) ^t , where t is the largest possible.

where ∆ _i = {j : j 6= i, σ((ξ _i − ξ _j ) ² ) = −(ξ _i − ξ _j )} and #∆ _i = ⁿ⁻¹ ₂ for all i, 1 ≤ i ≤ n.